Hitting the road: New cyber threats to smart cars

Ever since the infamous simulation of a Jeep Cherokee hack left a Wired reporter stuck on the side of the road, smart-car cyber security discussions have continued to gain traction. While some fears may be overinflated, it's a fact that once something is connected to the Internet, it becomes a potential gateway for cybercrime. This includes the billions of devices that may be connected in the next few years as the Internet of Things continues to proliferate.

But among the vast array of IoT systems, cyber attack scenarios against connected cars are undoubtedly some of the most frightening. Let's review some of the newest threats to smart cars:

Killing the battery across the world

In a recent blog post, Trend Micro discussed the alarming findings of computer security researchers Troy Hunt and Scott Helme. The pair found that certain features of an application tied to the Nissan Leaf, one of the world's top-selling electric cars, could be controlled from anywhere in the world with Internet connectivity.

After learning that the Leaf used only the vehicle identification number (VIN) for authentication, Hunt and Helme decided to find out what a remote user might be able to accomplish if they somehow accessed this information. The good news is that because the Leaf does not have a feature that allows for the remote unlocking of doors, the exploit wouldn't necessarily allow a cyber criminal to get into the vehicle. The bad news, however, is that the car doesn't have to be broken into to be compromised.

Useful features of Nissan's application for its connected cars include tracking of distance and travel times as well as battery life, which can all be valuable for maintenance purposes, and the ability to remotely control the car's climate. This latter feature can be handy in the hot summer months or in cold climates, as it allows the driver to walk into a car that is at a comfortable temperature. However, this also means that any person who has the car's VIN and Nissan's application can effectively drain a vehicle's battery. It sounds like a minor defect, but it's actually a huge deal. Imagine if the application allowed for other remote features. What if it could turn the parking brake on? What if it could disable the transmission in the event that the vehicle is reported stolen? With poor authentication, any remote control features that could be extremely useful for car owners can become threatening.
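The difference between treating a VIN as a credential and treating it as a mere identifier can be shown in a few lines. This is an added example, not Nissan's code or anything from the original post; the function names, the key, the accounts and the VINs are all constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store
OWNED_VINS = {                        # constructed account -> vehicles mapping
    "alice": {"TESTVIN0000000001"},
    "bob": {"TESTVIN0000000002"},
}


def authorize_vin_only(vin: str) -> bool:
    """Weak pattern: knowing a VIN is accepted as proof of ownership."""
    return any(vin in vins for vins in OWNED_VINS.values())


def _tag(user: str, expires: str) -> str:
    return hmac.new(SERVER_KEY, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Issued only after a real login; binds the account to an expiry time."""
    expires = str(int((time.time() if now is None else now) + ttl))
    return f"{user}|{expires}|{_tag(user, expires)}"


def authorize_command(token: str, vin: str, now: Optional[float] = None) -> bool:
    """Hardened check: authentic, unexpired token AND the VIN belongs to that account."""
    try:
        user, expires, tag = token.split("|")
        expires_at = int(expires)
    except ValueError:
        return False  # malformed token
    # Constant-time comparison of the MAC; bytes avoid errors on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), _tag(user, expires).encode()):
        return False
    if (time.time() if now is None else now) >= expires_at:
        return False
    # The VIN is only an identifier: it must be registered to the authenticated user.
    return vin in OWNED_VINS.get(user, set())
```

With the hardened check, a VIN read off someone else's vehicle is useless without a valid session for the account that owns it.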

Gone in 18 seconds

San Diego-based computer science researcher Stephen Savage recently found a way to hijack a smart car in 18 seconds with little more than a CD loaded up with the right .WMA file. According to a recent Trend Micro blog post, Savage found that smart car manufacturers will generally have a mix of operating systems onboard the vehicle, some of which are more vulnerable to cyberattacks than others.

In this case, Savage was able to exploit a weak in-vehicle entertainment system. He preloaded a CD with malware, and then played it through the car's sound system, and from there, was able to take control of the vehicle. While not quite as scary as finding that your transmission has been completely cut off while on the freeway, grand theft auto via cyberattack is still quite an unsettling thought, and further highlights just how far we have to go before connected cars can be considered cyber secure. Savage noted that a simple firewall would not have patched the security hole that allowed him to take control of the vehicle.

Comprehensive cyber security is rapidly becoming a top-of-mind issue for automobile manufacturers and third-party software vendors for smart cars. With the future of the car just around the bend, let's hope our vehicles are safe from hackers by the time we get there.